The GDPR: what you need to know

Nick Pester, Partner and Head of Insurance and InsurTech at Capital Law, provides an overview of the upcoming General Data Protection Regulation and discusses how it might affect insurers and InsurTech start-ups.

Investment in InsurTech is booming. Although the US still leads the way in terms of InsurTech investment, the UK saw a 100% increase in cash pouring into the sector in 2016. It is likely that 2017 will see the same, if not greater, level of growth. Many of the business models being funded revolve around the better collection and use of data, either in marketing/distribution propositions or in products to improve insurers’ products or operations.

But there is a storm on the horizon for which insurers and InsurTech companies need to prepare if their growth ambitions are to be fulfilled: the General Data Protection Regulation (“GDPR”).

What is theGDPR?

The GDPR is a European regulation which imposes onerous obligations on any entity which controls or processes personal data. It also provides individuals (‘data subjects’) with improved rights, including the right to have their identifiable personal data to be erased at any time.

This is a big change to the current position: under the Data Protection Act 1998, companies which merely process personal data are not directly accountable to data subjects for any breach of regulations. This means that companies who are online distributors (but not producers) of insurance have a higher regulatory bar.

The GDPR comes into force on 25 May 2018. This means that any insurance policies in force on that date have to be compliant – the de facto insurance deadline is therefore 26 May 2017. Punishment for any breach can amount to 4% of annual turnover, or €20m – whichever is greater.

Companies engaged in significant volumes of data processing are likely to have to appoint a Data Protection Officer.

How will the GDPR impact insurance?

The GDPR will have a major impact on the way insurance products are manufactured and how data is governed. Arguably, however, the GDPR merely formalises what has already been recognised in a business sense; that is, that companies need to adopt a more customer (as opposed to product) centric approach to data.

The GDPR introduces the concept of ‘privacy by design’, which means that the protection of personal data must be of primary importance when developing new products. Unless data processing can be justified in legal terms, then clear customer consent must be evidenced.

The greatest impact, might, therefore be on the processing and use of data for ancillary purposes e.g. marketing, cross-selling, and profiling. Unless such personal data is adequately anonymised / encrypted prior to analysis then it will now require explicit consent from the data subject, who will also be able to withdraw that consent at any time.

This is likely to necessitate greater governance around the way InsurTech start-ups and their teams of employed or non-employed developers and data scientists use data.

From a practical perspective, however, start-ups might find it easier to comply with the regulation: they have fewer and often more up-to-date data sources and are less constrained by legacy systems and processes for data processing than established insurers.

Overall, it is likely that datasets with ‘ready-made’ and compliant consents attached are likely to become extremely valuable in future. We expect to see products being developed to exploit this opportunity – Port is an example of a company building such a proposition.

What are the key ‘action points’ before it arrives?

The GDPR will require insurers and InsurTech companies to carry out a full review of their existing data processing activities, and to start thinking about more efficient and innovative ways to obtain consents where required.

Legacy data: For companies who already have established (and often vast) banks of data, it’s time to start working out what that data is currently being used for, whether it needs to be retained (and, if so, what for), and whether the form of consents now required are already in place or need to be obtained. This could well be a significant exercise for large company market insurers with years of personal data to sift through.

Consents: How are consents presently obtained from customers? Are privacy notices clear and detailed enough to evidence compliance with the GDPR? Are they wide enough to capture all of the processing activities which the company wishes to undertake? Where the product is dependent upon recurrent access to personal data as and when it’s updated, what is the most efficient way to obtain the necessary consents? All of these questions need to be addressed now, particularly given the requirement for all insurance policies issued on or after 26 May 2017 to be GDPR compliant.

GDPR infrastructure: does the product / business model rely upon the regular processing of significant amounts of personal data? If so then businesses need to make sure that the necessary Privacy Impact Assessments (“PIA”) have been carried out, and, if required, that a Data Protection Officer has been appointed and adequately appraised of their duties.

GDPR primer: what are the ‘need to know’ changes?

The new rules will make those entities who purely process personal data (‘data processors’) directly liable for compliance and breaches, alongside those companies which collect, retain, and determine how personal data is used (‘data controllers’). This means that pure intermediary platforms / products (e.g. comparison websites) can be directly liable to the data subject for any breach.

Any company at a very early development stage should be aware of the need for ‘data privacy by design’; that is, it will need to evidence that data privacy obligations were at the forefront of its thinking when shaping the development of a product.

Consent will always be required where either (i) personal data is being processed for ancillary purposes (i.e. non-essential to the performance of a contract), and (ii) for processing Sensitive Personal Data – i.e. data relating to a living identifiable person’s race/ethnic origin, political opinion, religious beliefs, trade union membership, physical or mental condition or sexuality.

Parental consent will be required to process the personal data of children aged 16 and under.

Improved rights for data subjects – any individual will have the right to (i) withdraw consent where explicitly given, (ii) request erasure of their personal data, and (iii) request a copy of their personal data.

Where large scale automated processing is undertaken a privacy impact assessment (‘PIA’) will need to be carried out considering the respective risks to and rights of the data subject.

If it the automated processing is on a particularly significant scale or involves special categories of data (e.g. criminal convictions) then the company will need to appoint an independent Data Protection Officer, to advise on its obligations and to monitor compliance.

Any breach of security leading to loss, alteration, unauthorised disclosure of, or access to, personal data must be notified to the Information Commissioner’s Office (‘ICO’) within 72 hours of the breach, and affected data subjects must be notified without undue delay where the breach is serious.